Electronic devices and systems potentially offer many of the same benefits to the process of conducting elections that they have already delivered to the worlds of finance and business. Unfortunately, the requirement for ballot secrecy, along with the high degree of complexity possible in today's devices, makes it impossible for the general voting population to directly infer that systems tasked with collecting and counting votes are behaving accurately and honestly.

We describe how techniques from mathematics and cryptography can impose a rigid structure on the election data itself to resolve this dilemma. Such structure allows the simultaneous requirements for secrecy and transparency to be satisfied without demanding that the hardware and software that process the data be trusted. Voters can track their own ballots through to the final count, and dispute any discrepancy between it and their intended choices, even though they are not provided with any evidence that can prove to someone else which candidates, or issues, they voted for.

The webcast and presentations are all available here. My presentation is available here and the replay can be found 01:59:29 into the webcast. I also mentioned a couple of background papers that explain the VHTi receipt technology:

On September 7, Nevada residents were able to vote with a DRE outfitted with contemporaneous paper record (aka, a voter-verified paper ballot or VVPB). The experiment was summarized by Dan Tokaji with press links and election official reaction.

My take: Two significant issues emerged from anecdotal evidence of those observing the election. First, 80-90% of voters did not compare the paper record to the voting machine. Second, of those voters that did compare the paper record, it took them 30-60% more time to vote. Both of these issues should be confirmed with scientific data.

The first issue of voters ignoring the paper record portends the very serious situation that I describe here. If the paper record is not a source document prepared (or even reviewed) by the voter, how can it be used in a recount?

On August 15, 2004, 9.6 million Venezuelans voted using 19,200 electronic voting machines in nearly 4,600 polling places. These voting machines produced both an electronic ballot and paper ballot backups to be used in case of recount. The official results showed that Chavez won 59% to 41%, an 18% margin of victory.

This single-race election was hotly contested and observed by The Carter Center and the Organization of American States (OAS). The Carter Center published a report of the audit phase of the election.

The conclusion of the analysis is that the Venezuelan paper ballot audit was largely ineffective because (1) the machine and ballot chain-of-custody was breached, and (2) the post-election audit would not have detected manipulation of 5.5% of the ballots, allowing a swing of 11% of the vote. Luckily, the 18% margin of victory turned out to be larger than the fraud rate detectable by the audit. If the election had been closer than 11%, the audit would have been inconclusive and the Venezuelan people would have had no basis for confidence in their election results.

Regardless of the type of voting system used in an election, care must be taken to ensure that systems and procedures before, during, and after the election are carefully designed to produce provably confident results.

Unfortunately, paper ballot audit systems are especially prone to procedural problems as evidenced in the recent Zimbabwe elections and alleged in the Venezuelan recall. In fact, paper ballot-based systems have long suffered fraud and error precisely because they are so dependent upon perfect procedural design and execution, which present so many opportunities for fraudulent disruption. The New York Times alone has documented 800 cases of electoral fraud over the past 150 years -- one case every 69 days.

When conducting Election Day audits, it is vital to determine the efficacy of any audit strategy. The number of machines, precincts, ballots, or receipts must be chosen carefully to statistically guarantee that if fraud is attempted, it is surely caught.
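The sample-size reasoning above, worked through as an added example (not code from the original post or from VoteHere): how many units a random audit must inspect to catch tampering with a chosen confidence, and how large a margin swing a given audit size can miss. The 19,200 machines and the 5.5% figure come from the Venezuelan case above; the confidence levels, audit sizes, function names and the assumptions listed in the first comment are constructed for illustration.

```python
# Assumptions (not from the page): the audit unit is one voting machine,
# machines are drawn uniformly at random without replacement, inspecting a
# tampered machine always exposes it, and every machine holds the same
# number of ballots in a two-choice race.

def miss_probability(total, tampered, sample):
    """Chance that a sample of `sample` units contains no tampered unit."""
    if not (0 <= tampered <= total and 0 <= sample <= total):
        raise ValueError("need 0 <= tampered <= total and 0 <= sample <= total")
    if sample > total - tampered:
        return 0.0  # too many units drawn to avoid every tampered one
    p = 1.0
    for i in range(sample):  # hypergeometric P(0 hits), term by term
        p *= (total - tampered - i) / (total - i)
    return p

def min_sample_size(total, tampered, confidence):
    """Smallest sample that hits a tampered unit with P >= confidence."""
    if tampered < 1 or not 0 < confidence < 1:
        raise ValueError("need tampered >= 1 and 0 < confidence < 1")
    for n in range(1, total + 1):
        if 1.0 - miss_probability(total, tampered, n) >= confidence:
            return n
    return total

def largest_hidden_swing(total, sample, confidence):
    """Largest margin swing the audit catches with P < confidence.

    Flipping every ballot on a fraction f of machines moves the margin by
    2*f: each flipped ballot leaves one side and joins the other.
    """
    tampered = 0
    while (tampered < total and
           1.0 - miss_probability(total, tampered + 1, sample) < confidence):
        tampered += 1
    return 2 * tampered / total

if __name__ == "__main__":
    MACHINES = 19_200                   # machine count reported on the page
    TAMPERED = round(0.055 * MACHINES)  # 5.5% of machines -> 1056
    for conf in (0.90, 0.99):           # confidence levels are constructed
        n = min_sample_size(MACHINES, TAMPERED, conf)
        print(f"{conf:.0%} confidence: audit {n} machines")
    for sample in (20, 82, 300):        # constructed audit sizes
        swing = largest_hidden_swing(MACHINES, sample, 0.99)
        print(f"audit of {sample}: swings up to {swing:.1%} can slip through")
```

The second loop shows why the margin of victory matters: an audit is conclusive only when the reported margin exceeds the largest swing it could have missed.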

An Associated Press story reports on a challenge to inspect VoteHere's VHTi technology. Here are a few excerpts:

Rebecca Mercuri, a Harvard University-affiliated research fellow, encouraged hackers to inspect software code made available on the Internet by VoteHere, an electronic voting software company based in Bellevue, Wash., and called upon other voting machine vendors to make their codes and products available.

[snip]

Mercuri said her challenge was in response to a similar bet issued by Michael Shamos, a Carnegie Mellon University computer scientist and voting technology consultant. Shamos has promised $10,000 to anyone who can hack into a voting machine undetected.

[snip]

"Anybody can hack into anything," Shamos said. "I can break into a bank. The question is are they going to know the money is gone."

[snip]

VoteHere founder Jim Adler said his company published the code to its patented election security software hoping people would test it.

Adler said the key to ensuring the integrity of e-voting is detection.

"This is not about preventing fraud. This is about detecting fraud," Adler said. "What you want is to have enough transparency so you can detect when fraud happens."

Transparency is the best way to ensure that any election problem, whether malicious or accidental, is detected. As discussed here, it is always good to build big fences, but it is critical to have a dog that barks when intrusions occur. By providing voters with a private receipt to verify their vote was counted properly and providing the public with a meaningful audit of results, VHTi is that guard dog.

In today's Wall Street Journal, John Fund opines on electronic voting. He notes that (1) better technology is on the way (like VoteHere's VHTi, which Fund describes quite well), and (2) some states aren't waiting and are jumping toward untested solutions like the voter-verified paper ballot (VVPB, aka contemporaneous paper record or CPR):

Fixes for the real problems with DREs are in the works. Woefully inadequate federal standards for testing voting machines are being toughened. A system is being developed in which each voter would receive a record of his choices that would be put into a code only decipherable by election judges. After the polls closed, all receipts would be posted on the Internet. Voters could use their serial number to find the image of their receipt, and make sure it matched the one they got at the polls. [emphasis mine]

Also, last Friday's Computerworld had an article discussing how the Kerry campaign is considering cryptographic solutions to e-voting:

However, speaking on condition of anonymity, an IT industry source who met last week with members of Sen. John Kerry's staff said the Kerry campaign is considering a move to pull back from the position taken by the Democratic National Committee and Howard Dean's Democracy for America organization. Dean and the DNC have endorsed the voter-verifiable paper ballot requirement for e-voting systems -- something that only the state of Nevada has planned for November. According to the official, the Kerry campaign is considering support for verification of the final vote tally through some form of encryption. [emphasis mine]

My take: It is becoming increasingly clear that encrypted private receipts and public audit are the keys to ensuring high integrity e-voting. These receipts can be taken out of the poll site, cannot be used for vote-selling, but can be used to ensure that every vote is counted properly.

Also, the public audit means that anyone can perform a meaningful audit of the election results. The VVPB cannot do this. As discussed here, the VVPB cannot be used for recount and does not allow the voter to verify their vote was counted properly.

The [CPR or voter-verified paper ballot type] receipt issue is temporary. There are elegant cryptographic methods that enable a voter to be assured from purely public records that her vote has counted--yet without being able to prove that fact to a vote buyer.

Professor Shamos has inspected and certified voting systems for Pennsylvania and Texas. Also included in the debate were Dan Tokaji (Assistant Professor, Ohio State Moritz College of Law), David Dill (Founder of VerifiedVoting.org and Computer Science Professor, Stanford University), and Cindy Cohn (Legal Director, Electronic Frontier Foundation).

My take: Professor Shamos refers to a voter-verified receipt offered by VoteHere and others. A true voter-verified receipt allows a voter to verify that their vote actually counted without enabling vote buying. A voter-verified receipt is superior to a CPR (contemporaneous paper replica, aka voter-verified paper ballot/record) since a voter has no idea whether the paper replica will ever be counted. Also, as discussed here, a CPR is ineffective for recounts.

Tommy Peterson, Computerworld's Technical Editor, offers this opinion on e-voting. She makes two important points. First, she cautions that the contemporaneous paper replica (CPR, aka voter-verified paper ballot/trail) is not the answer:

Setting up a parallel paper trail for voters within an e-voting system, as some have suggested, is not the answer. That would be cumbersome, threaten the secrecy of the ballot and still leave the system open to tampering.

Second, she makes the point that voters need a means to verify that their vote counted:

The use of blind-signature encryption protocols could preserve secret balloting while giving voters a means to verify election results.

My take: There is growing awareness that CPR provides only the perception of confidence and doesn't provide the real confidence gained from voters having the means to verify that their vote was actually counted properly. Although Ms. Peterson mentions early, and important, "blind signature" approaches to voter verification, they have been generally eclipsed by more advanced voter-verified receipts that provide such capability.

A good article in the UK Register by Thomas C Greene logically discusses the flaws of adding a contemporaneous paper replica (CPR, referred to in this article as the voter's receipt or paper record) to an electronic voting machine or DRE. Here are a few of the more interesting points:

But the piece of paper creates an illusion of enhanced security, which is why so many people insist on it. People imagine that, so long as the printout matches their recollection of votes cast, it's proof that the DRE machine is recording their votes properly. In fact, it's no such thing.

[snip]

There is no logical reason for a voter to assume that the printout in his hand, and the electronic tabulation in the machine, are the same. Numerous types of attack could produce an accurate record of voter choice on paper, yet still tweak the electronic results. And if the two results should differ, there is no way for the voter to know it. [discussed here - jma]

[snip]

The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected. Many ballots are long and confusing, so the idea that even a majority of voters would bother to scrutinize theirs is hardly guaranteed.

[snip]

... if voters neglect to examine their receipts carefully before submitting them, they're worthless - there's no basis for trusting them more than any other result. [discussed here - jma]

My take: Mr. Greene criticizes CPR on many of the same points made by the election community here in the US. If the efficacy of CPR is theoretically questionable and has yet to be practically proven, why are so many trying to prematurely make it the law?